New pkg audit FNs

Steve Wills swills at
Mon Oct 9 21:09:44 UTC 2017


On 10/09/2017 16:34, Jan Beich wrote:
> Matthew Seaman <matthew at> writes:
>> On 09/10/2017 16:57, Roger Marquis wrote:
>>> Can anyone say what mechanisms the ports-security team might have in
>>> place to monitor CVEs and port software versions? 

I've been hacking at a prototype for scanning what I can find:

It's more of a proof of concept than anything. The entry for this issue 
is still incomplete though, and the web page for it lists it as "waiting 
for analysis":

>>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>>> there's no mention of it in the vulnerability database  The tomcat8

It looks like it's there to me:

And added days ago.

>>> port's Makefile also still points to the older, vulnerable version.

True, the maintainer needs to update it. I've copied him on this message.

>>> Tomcat is one of those popular, internet-facing applications that sites
>>> need to check and/or update quickly when CVEs are released and most
>>> admins probably don't expect "pkg audit" to throw false negatives.
>> Ports-secteam (and secteam, for that matter) will update VuXML when they
>> know about vulnerabilities that affect FreeBSD ports, however the usual
>> mechanism is that the port maintainer either updates VuXML themselves
>> directly or tells the appropriate people that there are vulnerabilities
>> that need to be recorded.

Correct, but it doesn't have to be the port maintainer, anyone can 
submit a bug report with a patch to ports/security/vuxml/vuln.xml

> What happened to querying CVE database using CPE strings? ENOTIME is a
> common disease in volunteer projects, ports-secteam@ is no exception.
> Finding missing entries is trivial if one looks at Debian tracker.
> Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
> are fixed in the port.

Indeed, I've wanted to try matching up ports/packages to the CVE entries 
by using CPE data. I will try to look at that again, but as always 
patches welcome.

I'll try to add the missing tiff entries and any others anyone cares to 
point out.


More information about the freebsd-ports mailing list